
Deployment App strategy

trross33

Would anyone have advice on the following?

I am deploying the Splunk Universal Forwarder in a mixed Windows environment. I have some IIS servers, some 2003 servers, some 2008 servers, and a few other applications as well.

When configuring deployment apps to be sent to the universal forwarder on these servers, is it best to configure a separate app for each "type" of server? For example,

  1. Have a blanket/generic app that deploys to all windows servers, which collects generic data that I would want to collect on all windows servers.
  2. Create a separate app for IIS servers, which will collect the IIS log that doesn't exist on every server.
  3. Blacklist the IIS servers from the blanket/generic app.

-OR-

Would it be best to just deploy one app to all windows servers, including the collection for the IIS log. I'm assuming it will only generate an error that the log cannot be found...

I'm just curious as to how granular a person should get, or if granularizing for this purpose is just management overhead with little benefit.

Thanks!


gkanapathy
Splunk Employee

I would create:

  • one app for base Windows OS data
  • one app for IIS application, just specifying collection of IIS data
  • one more app for each other type of application with a distinct set of data and properties (if any, e.g., if someday you monitor Exchange, or MSSQL, or whatever)

First, whitelist/list all Windows servers into a class for the first app. Then, whitelist all IIS servers for the second app in a different class, and so on for each app.

The inputs will layer on top of each other, so it's fine to have a server whitelist into multiple apps.

This approach allows you to change and manage according to the application or use case, rather than according to sets of servers. This would be a best practice. In general, you should create apps that describe the application or use case, regardless of what server it's on, then map those to the appropriate servers using Deployment Server.


trross33

So if I am deploying the Splunk for Windows app for these servers, and using its input file, would it be best to just add another input file for the other servers, in a separate app, or copy the Splunk for Windows app, rename it, and modify its input file... Thanks...


hazekamp

trross33,

I would personally recommend creating a "base" deployment application which has a common set of inputs for data you want to collect across the environment. From there you can create specific deployment applications which address inputs on a per-server-type basis. In the example above the IIS server would get both the "win_base" input app and the "iis" input app. An Exchange server might get the "win_base" input app and the "exchange" input app.

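The layout gkanapathy and hazekamp describe (one class per use case, a host whitelisted into several classes, inputs layering on the forwarder) looks like this on a Deployment Server. This is an added example, not configuration posted in the thread or shipped with Splunk: the app names win_base and iis come from hazekamp's post, while the hostname patterns, the index names, the machine-type filter and the IIS log path are assumptions for illustration.

```ini
# Added example, not from the thread. App names follow hazekamp's post;
# hostnames, indexes and the IIS log path are assumptions for illustration.

# --- $SPLUNK_HOME/etc/system/local/serverclass.conf (on the deployment server) ---

# Class 1: every Windows forwarder that phones home gets the base OS inputs.
# The whitelist matches all clients; machineTypesFilter keeps it to Windows.
[serverClass:win_base]
machineTypesFilter = windows-x64, windows-intel
whitelist.0 = *

[serverClass:win_base:app:win_base]
restartSplunkd = true
stateOnClient = enabled

# Class 2: only hosts whose name matches an IIS naming pattern get the IIS inputs.
# An IIS host also matches class 1, so it receives both apps; no blacklist needed.
# Hostname patterns are constructed for this example.
[serverClass:iis]
whitelist.0 = iis-*
whitelist.1 = web0*

[serverClass:iis:app:iis]
restartSplunkd = true
stateOnClient = enabled

# --- $SPLUNK_HOME/etc/deployment-apps/win_base/local/inputs.conf ---
# Base Windows OS data wanted from every server (index name is an assumption).
[WinEventLog://Security]
disabled = 0
index = wineventlog

[WinEventLog://System]
disabled = 0
index = wineventlog

[WinEventLog://Application]
disabled = 0
index = wineventlog

# --- $SPLUNK_HOME/etc/deployment-apps/iis/local/inputs.conf ---
# IIS logs only; this app is never sent to non-IIS hosts, so no missing-path noise.
# Default IIS log location; adjust if your sites log elsewhere.
[monitor://C:\inetpub\logs\LogFiles]
disabled = 0
recursive = true
whitelist = \.log$
sourcetype = iis
index = iis
```

After editing serverclass.conf, run `splunk reload deploy-server` on the deployment server so the new classes take effect. On an IIS host you should then see both win_base and iis under `$SPLUNK_HOME/etc/apps`, and `splunk btool inputs list --debug` on that forwarder shows the merged inputs with the app each stanza came from, which is the "layering" gkanapathy refers to. Any index you name in inputs.conf must exist on the indexers, otherwise the events are dropped or land in the last-chance index depending on your indexer settings.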